GAO-13-157, PROTECTING DEFENSE TECHNOLOGIES: DOD ...
GAO-13-157, PROTECTING DEFENSE TECHNOLOGIES: DOD ...
GAO-13-157, PROTECTING DEFENSE TECHNOLOGIES: DOD ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>GAO</strong><br />
United States Government Accountability Office<br />
Report to Congressional Committees<br />
January 20<strong>13</strong><br />
<strong>PROTECTING</strong><br />
<strong>DEFENSE</strong><br />
<strong>TECHNOLOGIES</strong><br />
<strong>DOD</strong> Assessment<br />
Needed to Determine<br />
Requirement for<br />
Critical Technologies<br />
List<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong>
January 20<strong>13</strong><br />
<strong>PROTECTING</strong> <strong>DEFENSE</strong> <strong>TECHNOLOGIES</strong><br />
<strong>DOD</strong> Assessment Needed to Determine Requirement<br />
for Critical Technologies List<br />
Highlights of <strong>GAO</strong>-<strong>13</strong>-<strong>157</strong>, a report to<br />
congressional committees<br />
Why <strong>GAO</strong> Did This Study<br />
<strong>DOD</strong> spends billions of dollars on<br />
sophisticated weapon systems and<br />
technologies to maintain military<br />
superiority. Such technologies are<br />
vulnerable to exploitation when<br />
exported, stolen, or lost during military<br />
missions. To identify critical<br />
technologies and help minimize these<br />
risks, <strong>DOD</strong> established the MCTL—a<br />
technical reference—as well as a<br />
compendium of worldwide emerging<br />
technologies. In 2006, <strong>GAO</strong> reported<br />
that the MCTL was out of date and not<br />
meeting users’ requirements, and<br />
subsequently included the list as a key<br />
component of <strong>GAO</strong>’s high risk area on<br />
protecting critical technologies. This<br />
report updates <strong>GAO</strong>’s 2006 work and<br />
reviews the extent to which 1) <strong>DOD</strong><br />
has addressed weaknesses in<br />
updating and maintaining the MCTL,<br />
and 2) agencies use the MCTL as a<br />
resource in identifying critical<br />
technologies. <strong>GAO</strong> reviewed laws,<br />
directives, and guidance, as well as<br />
documentation of <strong>DOD</strong> actions since<br />
2006 to address MCTL concerns and<br />
interviewed officials from <strong>DOD</strong> and the<br />
Departments of Commerce, State, and<br />
the Treasury.<br />
What <strong>GAO</strong> Recommends<br />
<strong>GAO</strong> recommends that <strong>DOD</strong> take<br />
steps to (1) determine the best<br />
approach for meeting users’<br />
requirements for a technical reference<br />
to consistently identify critical<br />
technologies, whether it be the MCTL<br />
or an alternative and (2) ensure<br />
adequate resources are available to<br />
sustain the approach chosen. Further,<br />
if <strong>DOD</strong> determines that the MCTL is<br />
not the optimal solution, it should seek<br />
necessary relief from its responsibility<br />
to develop the list. <strong>DOD</strong> concurred with<br />
<strong>GAO</strong>’s recommendations.<br />
View <strong>GAO</strong>-<strong>13</strong>-<strong>157</strong>. For more information,<br />
contact Belva Martin at (202) 512-4841or<br />
martinb@gao.gov.<br />
What <strong>GAO</strong> Found<br />
While the Department of Defense (<strong>DOD</strong>) took steps to address previously<br />
identified weaknesses in updating and maintaining the Militarily Critical<br />
Technologies List (MCTL), the list remains outdated and updates have ceased.<br />
For example, <strong>DOD</strong> has solicited users’ requirements and feedback on the MCTL,<br />
and added a search engine capability to improve navigation of the list and<br />
updated each technology section at least once. <strong>DOD</strong> also determined the list’s<br />
purpose is to support export control decisions and in October 2008, issued an<br />
instruction that (1) recognized the list’s usefulness for other <strong>DOD</strong> programs and<br />
activities and (2) outlined the roles, responsibilities, and procedures for updating<br />
and maintaining the list. However, in 2011, <strong>DOD</strong> cut funding for the program<br />
from $4 million in prior years to about $1.5 million and ceased MCTL content<br />
updates. Subsequently, <strong>DOD</strong> removed the public version of the list from the<br />
Internet, and officials posted a disclaimer for the restricted version noting that the<br />
list should only be used for informational purposes as it had not been updated.<br />
Similarly, the compendium of emerging technologies is outdated and two<br />
sections have not been updated since 1999. Program officials from the Militarily<br />
Critical Technologies Program have devised a plan to improve how MCTL<br />
content will be updated in the future, including relying on contributions from the<br />
user community, but implementation of the plan has been limited due to funding<br />
constraints. However, program officials have yet to get input from users to agree<br />
to this approach and would still require additional funding to implement it.<br />
The MCTL is not used to inform export decisions—its original purpose. Export<br />
control officials from <strong>DOD</strong> and the Departments of Commerce and State<br />
reiterated their longstanding concern that the MCTL is outdated and too broad to<br />
meet export control needs. <strong>DOD</strong> officials who provide input on the criticality of<br />
technologies as part of export license determinations and reviews of foreign<br />
acquisition of U.S. companies told us that they do not rely on the MCTL to inform<br />
their decision making despite <strong>DOD</strong> guidance to do so. Instead, they consult their<br />
own network of experts, which they consider to be a more reliable source to get<br />
current technology information. Other <strong>DOD</strong> programs to protect critical<br />
technologies need a technical reference such as the MCTL and have integrated<br />
the list to help inform decision making. For example, the MCTL has been fully<br />
integrated into <strong>DOD</strong>’s anti-tamper critical technology tool, which is designed to<br />
facilitate analysis and decision making to protect the most valuable military<br />
assets from tampering when exported or lost in military missions. Also, to inform<br />
its analysis of industrial espionage activities such as foreign targeting of U.S.<br />
technologies, the Defense Security Service relies on the MCTL to identify overlap<br />
and connections between different technology categories. With the suspension of<br />
MCTL updates, these programs are seeking alternatives, and in one case,<br />
developing their own technical reference which could result in inefficient use of<br />
resources. <strong>DOD</strong> officials working with MCTL users have an opportunity to<br />
coordinate efforts and help minimize inconsistent approaches to identify critical<br />
technologies and any potential duplication of effort.<br />
United States Government Accountability Office
Contents<br />
Letter 1<br />
Background 3<br />
Despite <strong>DOD</strong>’s Actions to Address Weaknesses, MCTL Is Outdated<br />
and Updates Have Ceased 7<br />
MCTL Is Not Being Used for Its Original Purpose, and Other<br />
Programs Face Challenges Because It Is Outdated 12<br />
Conclusions 18<br />
Recommendations for Executive Action 18<br />
Agency Comments 19<br />
Appendix I Scope and Methodology 21<br />
Appendix II U.S. Government Technology Protection Programs 23<br />
Appendix III Comments from the Department of Defense 24<br />
Appendix IV <strong>GAO</strong> Contact and Staff Acknowledgments 26<br />
Tables<br />
Table 1: Technologies Covered by the MCTL 7<br />
Table 2: U.S. Government Programs for the Identification and<br />
Protection of Critical Technologies 23<br />
Figures<br />
Figure 1: Key elements of a MCTL technology datasheet 6<br />
Figure 2: MCTL Section Updates by Calendar Year 10<br />
Page i<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
Abbreviations<br />
<strong>DOD</strong><br />
DSS<br />
DTSA<br />
MCTL<br />
Department of Defense<br />
Defense Security Service<br />
Defense Technology Security Administration<br />
Militarily Critical Technologies List<br />
This is a work of the U.S. government and is not subject to copyright protection in the<br />
United States. The published product may be reproduced and distributed in its entirety<br />
without further permission from <strong>GAO</strong>. However, because this work may contain<br />
copyrighted images or other material, permission from the copyright holder may be<br />
necessary if you wish to reproduce this material separately.<br />
Page ii<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
United States Government Accountability Office<br />
Washington, DC 20548<br />
January 23, 20<strong>13</strong><br />
Congressional Committees<br />
Each year, the Department of Defense (<strong>DOD</strong>) spends billions of dollars to<br />
develop and produce sophisticated weapon systems and technologies to<br />
maintain military superiority. The growing complexity and availability of<br />
these systems and technologies pose risks to U.S. national security<br />
interests. There have been increasing attempts by foreign entities to<br />
obtain illegal or unauthorized access to U.S. sensitive or classified<br />
information and technology, such as information systems, lasers, optics,<br />
and sensor technologies, which are among the most targeted<br />
technologies by foreign entities, according to the Defense Security<br />
Service (DSS). Identifying which technologies are critical to U.S. interests<br />
helps counter the threats of unauthorized access to U.S. technologies<br />
which are at risk of exploitation when exported, stolen, or lost or damaged<br />
during combat or routine missions. Failure to do so, accurately and<br />
consistently, could significantly enhance the military capability of a<br />
potential adversary and may result in insufficient protection of those<br />
systems, thereby increasing U.S. national security and economic risks.<br />
To help minimize these risks, <strong>DOD</strong> invests resources to develop and<br />
maintain the Militarily Critical Technologies List (MCTL). The Export<br />
Administration Act of 1979 established the MCTL and required <strong>DOD</strong> to<br />
identify technologies possessed by the U.S. and which, if exported, would<br />
permit a significant advance in the military system of another country. 1<br />
Since then, the list has expanded to capture technology capabilities<br />
developed worldwide. In 2006, we reported on several challenges facing<br />
the MCTL including that it was significantly out of date and not meeting<br />
users’ requirements. 2 At that time, we made a number of<br />
recommendations to improve the utility of the list and subsequently<br />
included the identification of critical technologies as a key component of a<br />
1 50 U.S.C. app. §§ 2401-2420. Authority granted by the Act lapsed on August 20, 2001.<br />
However, the President has, to the extent permitted by law, kept in effect the provisions of<br />
the Act and its implementing regulations through Executive Order <strong>13</strong>222 of August 17,<br />
2001 (66 Fed. Reg 44,025). Executive Order <strong>13</strong>222 was most recently extended by<br />
Presidential Notice on August 15, 2012.<br />
2 <strong>GAO</strong>, Defense Technologies: <strong>DOD</strong>’s Critical Technology Lists Rarely Inform Export<br />
Control and Other Policy Decisions, <strong>GAO</strong>-06-793 (Washington, D.C: July 28, 2006).<br />
Page 1<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
<strong>GAO</strong> high risk area on protecting technologies that are critical to U.S.<br />
national security interests. 3 This high risk area includes eight separate<br />
programs at <strong>DOD</strong> and the Departments of Commerce, State, and the<br />
Treasury, that each have roles in protecting critical technologies. We also<br />
reported that <strong>DOD</strong> program managers faced difficulties in identifying<br />
critical technologies, increasing the risk that some technologies may not<br />
be identified and resulting in, for example, inadequate anti-tamper<br />
protection that deters or delays exploitation of critical technologies. 4 We<br />
prepared this report under the authority of the Comptroller General to<br />
evaluate government programs as part of our continued effort to assist<br />
Congress with its oversight responsibilities regarding the protection of<br />
critical technologies. This report updates our 2006 work and reviews the<br />
extent to which (1) <strong>DOD</strong> has addressed identified weaknesses in<br />
updating and maintaining the MCTL and (2) programs use the MCTL as a<br />
resource in identifying critical technologies.<br />
To conduct our work, we reviewed the Export Administration Act of 1979,<br />
as amended, and reviewed Executive Orders, <strong>DOD</strong> directives and<br />
guidance regarding the use of the MCTL to inform export control and<br />
other policy decisions. We also obtained information and documentation<br />
on actions <strong>DOD</strong> has taken since our 2006 report to address the<br />
challenges facing the MCTL. We interviewed officials from the<br />
Departments of Commerce, Defense, State, and Treasury involved in the<br />
8 programs that we previously identified as central to the identification<br />
and protection of critical technologies about the extent to which they use<br />
the MCTL or other resources to identify critical technologies. See<br />
appendix I for more details on our scope and methodology; the 8<br />
programs on critical technology identification and protection are described<br />
in appendix II.<br />
We conducted this performance audit from May 2012 through January<br />
20<strong>13</strong>, in accordance with generally accepted government accounting<br />
standards. Those standards require that we plan and perform the audit to<br />
obtain sufficient, appropriate evidence to provide a reasonable basis for<br />
our findings and conclusions based on our audit objectives. We believe<br />
3 <strong>GAO</strong>, High Risk Series: An Update, <strong>GAO</strong>-07-310 (Washington, D.C.: January 2007).<br />
4 <strong>GAO</strong>, Defense Acquisitions: Departmentwide Direction Is Needed for Implementation of<br />
the Anti-tamper Policy, <strong>GAO</strong>-08-91 (Washington, D.C.: January 11, 2008).<br />
Page 2<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
that the evidence obtained provides a reasonable basis for our findings<br />
and conclusions based on our objectives.<br />
Background<br />
<strong>DOD</strong>’s key priority is maintaining military superiority. To this end, <strong>DOD</strong><br />
has established a department-wide policy to ensure that military and dualuse<br />
articles—items that have military and commercial applications—are<br />
treated as valuable national security resources and critical U.S. military<br />
technological advances are preserved. Under the Export Administration<br />
Act, which governs exports of dual-use items, <strong>DOD</strong> has primary<br />
responsibility for developing the MCTL, 5 which has broadened to a<br />
compendium of worldwide science and technology capabilities—existing<br />
or under development—that could significantly enhance or degrade U.S.<br />
military capabilities now or in the future. First published in 1980, the<br />
MCTL’s original purpose was to inform export licensing determinations<br />
and was to be integrated with expediency into the Commerce Control<br />
List, 6 which is maintained by the Secretary of Commerce and lists goods<br />
and technologies subject to export controls. The MCTL itself is not an<br />
export control list. Rather, according to <strong>DOD</strong>, it is the department’s<br />
recommendation for the criteria, parameters, and operating conditions<br />
that constitute militarily critical capabilities for defense and dual-use items<br />
that should be controlled. This knowledge can be used to limit a potential<br />
adversary’s access to technologies that would enable a significant military<br />
advantage.<br />
A range of <strong>DOD</strong> components, other federal agencies, and nongovernment<br />
entities need to know what is militarily critical to facilitate<br />
decision making in efforts to minimize or prevent the compromise of U.S.<br />
technological or military advantage. Knowledge about which technologies<br />
are critical and warrant protection from illegal or unauthorized access is<br />
needed for, among other things:<br />
• export controls and licensing decisions for dual-use and arms exports,<br />
which fall under the purview of the Departments of Commerce and<br />
State, respectively;<br />
5 50 U.S.C. app. § 2404(d)(2).<br />
6 50 U.S.C. app. § 2404(d)(4).<br />
Page 3<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
• consideration of anti-tamper protection of critical technologies on<br />
defense systems, which is primarily coordinated by anti-tamper<br />
officials and acquisition program offices within the military services;<br />
• review of foreign acquisitions of U.S. firms that are involved in the<br />
development or manufacture of defense technologies, which is<br />
coordinated with several federal agencies;<br />
• counterproliferation and counterintelligence programs and activities<br />
performed by <strong>DOD</strong> entities such as DSS to protect against industrial<br />
espionage; and<br />
• determinations about the public release of technical or scientific<br />
information.<br />
To meet the range of information requirements and enhance knowledge<br />
of what is militarily critical, the Militarily Critical Technologies Program<br />
within <strong>DOD</strong> oversees periodic assessment of dual-use and military<br />
technologies. The program, which has resided in various <strong>DOD</strong> offices<br />
throughout its 30-year history, currently is part of the Office of the<br />
Assistant Secretary of Defense for Research and Engineering with<br />
program oversight provided by the Technology Security Office. Since its<br />
inception in 1980, the program has contracted with the Institute for<br />
Defense Analyses, a federally funded research and development center,<br />
to provide scientific and technical support to develop and maintain the<br />
MCTL.<br />
Produced in both public and restricted versions, the list is divided into 20<br />
sections and covers a range of technologies that are of concern in the<br />
near term. Its content is derived from periodic technology assessments<br />
completed by various technology working groups consisting of experts<br />
from government, industry, and academia, who identify the parameters<br />
and associated values at which technologies are assessed as being<br />
militarily critical, based on definitions established by the Export<br />
Administration Act. To develop the list of critical technologies, <strong>DOD</strong> is<br />
required to consider the collection of elements of technologies—design,<br />
manufacturing, inspection, testing, operations, and maintenance—which,<br />
if exported to another country, would permit a significant advantage to a<br />
Page 4<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
military system of that country. 7 Using the latest version of the MCTL as a<br />
baseline, experts may add or remove technologies and make other<br />
modifications based on their assessments. The experts’ findings are<br />
presented in individual datasheets that profile a specific technology type.<br />
In addition to describing the technology and the technical issues that drive<br />
or influence the technology, the datasheets include quantitative and<br />
qualitative information to help facilitate determinations about the criticality<br />
of a technology. Figure 1 describes the key elements of a datasheet.<br />
7 The act requires that <strong>DOD</strong>, in developing the list of militarily critical technologies,<br />
consider (1) arrays of design and manufacturing know-how; (2) keystone manufacturing,<br />
inspection, and test equipment; (3) goods accompanied by sophisticated operation,<br />
application, or maintenance know-how; and (4) keystone equipment which would reveal or<br />
give insight into the design and manufacture of a United States military system. 50 U.S.C<br />
app. § 2404(d)(2).<br />
Page 5<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
Figure 1: Key elements of a MCTL technology datasheet<br />
In total, the MCTL is comprised of more than 500 datasheets. As shown<br />
in table 1, the number of datasheets in each section ranges from 2 for<br />
biomedical technologies to 77 for lasers, optics, and sensors<br />
technologies, which are among the most targeted technologies by foreign<br />
entities, according to the DSS. <strong>DOD</strong> also created a companion<br />
compendium of emerging technologies being developed worldwide which<br />
includes basic research, applied research, and advanced technology<br />
development. As these emerging technologies mature and become a<br />
concern in the near term, they transition from the emerging list to the<br />
MCTL.<br />
Page 6<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
Table 1: Technologies Covered by the MCTL<br />
Technology<br />
Number of<br />
subsections Number of data sheets<br />
Aeronautics 5 19<br />
Armaments and energetic materials <strong>13</strong> 53<br />
Biological 4 14<br />
Biomedical 2 2<br />
Chemical 3 19<br />
Directed energy systems 2 9<br />
Energy systems 4 25<br />
Electronics 5 47<br />
Ground systems 3 3<br />
Information systems 6 25<br />
Lasers, optics, and sensors 9 78<br />
Processing and manufacturing 6 50<br />
Marine systems 5 34<br />
Materials and Processes 3 26<br />
Nuclear systems 2 6<br />
Positioning, navigation, and time 5 30<br />
Information security 3 16<br />
Signature control 3 22<br />
Space systems 12 61<br />
Weapons effects 4 29<br />
Source: <strong>DOD</strong>.<br />
Despite <strong>DOD</strong>’s<br />
Actions to Address<br />
Weaknesses, MCTL Is<br />
Outdated and Updates<br />
Have Ceased<br />
<strong>DOD</strong> Took Steps to<br />
Respond to MCTL<br />
Weaknesses<br />
Since our 2006 report, <strong>DOD</strong> has taken steps aimed at clarifying the<br />
MCTL’s purpose and improving its utility. For example, to better<br />
understand users’ requirements, the program office solicited feedback<br />
from <strong>DOD</strong>, Commerce, State, and the Defense Technology Security<br />
Page 7<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
Administration (DTSA), military services, and <strong>DOD</strong> counterintelligence<br />
offices. Based on users’ requirements provided at that time, <strong>DOD</strong><br />
determined that the MCTL’s purpose is to serve export control decisions.<br />
However, the department also recognized that the MCTL had expanded<br />
to serve other purposes such as counterintelligence and weapon system<br />
program protection, among other things. In addition, to allow users to<br />
more easily access the list content, <strong>DOD</strong> added a search engine<br />
capability to improve navigation and initiated efforts to convert the MCTL<br />
into a dynamic database to enable users to conduct advanced analytical<br />
queries such as identifying interdependencies across multiple technology<br />
types. In fiscal year 2007, the program’s budget was doubled to $4<br />
million, which program officials said was the appropriate funding level at<br />
the time to update and maintain the MCTL. To address concerns about<br />
the currency of the list, <strong>DOD</strong> began updating the MCTL to ensure that<br />
each technology section had been updated at least once since our 2006<br />
report.<br />
As part of these efforts to revamp the MCTL, <strong>DOD</strong> issued an instruction,<br />
in 2008, that clarifies MCTL implementation by outlining roles and<br />
responsibilities for informing the list’s content, specifying procedures for<br />
updating and maintaining the list, and designating the purposes for which<br />
certain <strong>DOD</strong> components are to use the MCTL. Among other things, the<br />
instruction:<br />
• specified that it is <strong>DOD</strong> policy that the MCTL serve as a technical<br />
reference to inform the development and implementation of<br />
technology security policies on international transfers of defenserelated<br />
goods, services, and technologies;<br />
• directed DTSA to consult the MCTL when developing <strong>DOD</strong> export<br />
control proposals, processing export license requests, and making<br />
technology transfer decisions;<br />
• specified that <strong>DOD</strong> components are to use the MCTL in making<br />
decisions about what information can be shared with foreign entities<br />
and provide subject matter expertise in identifying and assessing<br />
technologies for the MCTL;<br />
• required the development of a methodology—based on objective<br />
criteria that produce logical and repeatable results—for determining<br />
whether a given technology is militarily critical; and<br />
• accelerated the frequency of technology section updates from every 4<br />
years to every 2 years to keep pace with technology development.<br />
<strong>DOD</strong> also planned to migrate its emerging technologies list to the MCTL<br />
rather than maintaining two separate lists.<br />
Page 8<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
According to program officials, the findings from our previous report<br />
served as a roadmap for corrective action and informed the development<br />
of a new concept of operations, drafted in 2010, which aims to implement<br />
the MCTL program requirements outlined in the 2008 <strong>DOD</strong> instruction.<br />
Further, implementation of the operational concept has been limited due<br />
to funding constraints; however, it calls for enhancing the functionality of<br />
the MCTL by:<br />
• supporting real-time technology updates from approved contributors<br />
as information becomes available rather than updating a technology<br />
section with all its sub-sections and datasheets in a single effort;<br />
• transitioning to a web-based application that will make data available<br />
in various document formats;<br />
• providing a more robust capability to search across multiple MCTL<br />
technology sections which is beneficial in cases where a given<br />
technology may have relevance to multiple sections;<br />
• enabling users to track content changes to each section and providing<br />
rationale for changes and access to previous versions; and<br />
• linking a given technology to its corresponding reference in export<br />
control lists such as the Commerce Control List and U.S. Munitions<br />
List. 8<br />
MCTL Updates Have<br />
Ceased and Public Version<br />
Is Not Published Online<br />
After responding to our 2006 report with such actions as issuing the 2008<br />
instruction and developing the 2010 concept of operations, <strong>DOD</strong> ceased<br />
updating the MCTL in 2011 and disbanded the technology working<br />
groups that assessed technologies and produced updates because of<br />
funding constraints, according to officials. <strong>DOD</strong> provided $1.49 million for<br />
the program in fiscal year 2012, which program officials say is not<br />
sufficient to support the work needed to meet the <strong>DOD</strong> requirement to<br />
update each technology section every 2 years. In light of expected<br />
funding decreases that began in fiscal year 2012, officials decided not to<br />
invest resources in updating MCTL sections and instead dedicated<br />
resources to complete archiving of research material for section updates<br />
that were underway. In the past 6 years, each section has been updated<br />
at least once; however, the Militarily Critical Technologies Program has<br />
not fully met its goal to update each section at least every 2 years in<br />
8 The Commerce Control List is maintained by the Department of Commerce and lists<br />
goods and technologies subject to export controls. The U.S. Munitions List is compiled by<br />
the Department of State and specifies defense goods and services requiring a license in<br />
order to be exported.<br />
Page 9<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
accordance with the 2008 <strong>DOD</strong> instruction. The majority of updates—15<br />
of 20 technology sections—took place in 2009 as shown in figure 2.<br />
Figure 2: MCTL Section Updates by Calendar Year<br />
Although five technology sections—armament and energetic materials,<br />
materials and processing, processing and manufacturing, signature<br />
control, and weapons effects—were updated in accordance with the new<br />
Page 10<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
instruction, currently none of the MCTL sections are in compliance with<br />
the 2-year update requirement. While funding was not reduced until fiscal<br />
year 2012, none of the sections were updated in 2011 and only one<br />
section—space systems—was updated in 2012 to support <strong>DOD</strong>’s report<br />
to Congress on the risks associated with moving certain satellite<br />
components from the U.S. Munitions List to the Commerce Control List.<br />
Four sections were updated after 2009; however, none of these updates<br />
have been validated, published, or made available to users, according to<br />
officials. Technology areas that advance rapidly, such as information<br />
security and information systems, have only been fully updated once in<br />
the past 6 years. These two sections, along with sections on electronics;<br />
biological; and position, navigation, and timing technologies, have been<br />
prioritized for updates once resources become available given the<br />
increasingly dated content in the MCTL, the technologies’ impact on<br />
national security, and the rate at which these technologies are being<br />
produced.<br />
In light of the risks associated with using outdated content to support<br />
technology protection decisions, in March 2011 program officials removed<br />
access to the public version of the list from the <strong>DOD</strong> website that hosted<br />
the list. The restricted version is still available via the same website, but<br />
program officials have posted a disclaimer noting that the list is no longer<br />
being updated and that content is being provided for information purposes<br />
only and is no longer intended to support technology decisions.<br />
<strong>DOD</strong> has also halted its plans to integrate the compendium of emerging<br />
technologies with the MCTL. Similar to the MCTL, the emerging<br />
technologies list is no longer being updated despite <strong>DOD</strong> guidance to<br />
identify and assess such technologies. Some sections of the emerging<br />
technologies list are more outdated than the MCTL. For example, based<br />
on information we obtained from <strong>DOD</strong>, the biomedical and biological<br />
technology sections have not been updated since 1999 because of lack<br />
of funding and oversight to ensure that the Institute for Defense Analyses<br />
conducted the assessments and produced the necessary updates.<br />
Additionally, officials noted that recent decreased funding levels hinder<br />
their ability to implement the new concept of operations to maintain and<br />
update the MCTL. In anticipation that funding may eventually be restored<br />
to execute program requirements, the program has devoted resources to<br />
begin developing electronic tools for the MCTL envisioned in the new<br />
concept of operations. These efforts are taking place without input from<br />
users on their requirements because, according to program officials,<br />
users have not been responsive to their efforts to solicit user<br />
Page 11<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
equirements for the new automated system. Standards for Internal<br />
Control in the Federal Government specifies that agencies should obtain<br />
information from stakeholders that may have a significant impact on a<br />
program’s ability to achieve its goals. 9 Such information has an<br />
operational and budget impact and helps managers identify specific<br />
actions that need to be taken to achieve program goals and objectives.<br />
MCTL Is Not Being<br />
Used for Its Original<br />
Purpose, and Other<br />
Programs Face<br />
Challenges Because It<br />
Is Outdated<br />
The Absence of the MCTL’s<br />
Use in Export Control<br />
Decisions Remains<br />
Unchanged<br />
As we reported in 2006, the MCTL is not being used to inform export<br />
control or license determinations as originally established under the<br />
Export Administration Act. Specifically, Commerce, which is primarily<br />
responsible for reviewing and approving export licenses for dual-use and<br />
other items subject to the Export Administration Regulations, does not<br />
rely on the MCTL to inform such decisions. 10 Instead, Commerce relies<br />
on the technical and policy expertise of its staff and that of <strong>DOD</strong>, State,<br />
and the Department of Energy to inform decisions on export licenses and<br />
revisions to the Commerce Control List. Commerce officials reiterated<br />
longstanding concerns that the MCTL is too broad to be useful in<br />
reviewing individual export license applications. As early as 1982, soon<br />
after the MCTL was established, we reported that Commerce found the<br />
MCTL lacked the specificity needed to inform licensing decisions. 11 In<br />
2006, <strong>GAO</strong> again reported that Commerce officials were not using the list<br />
because the content is too broad and is not current. Commerce officials<br />
9 <strong>GAO</strong>, Standards for Internal Control in the Federal Government, <strong>GAO</strong>/AIMD-00-21.3.1<br />
(Washington, D.C.: November 1999).<br />
10 Commerce shares this responsibility with <strong>DOD</strong>, State, and the Department of Energy.<br />
11 <strong>GAO</strong>, Export Control Regulation Could Be Reduced Without Affecting National Security,<br />
<strong>GAO</strong>/ID-82-14, (Washington, D.C.: May 26, 1982).<br />
Page 12<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
also added that the MCTL may need to be produced, in part, as a<br />
classified product to better serve export control and licensing decisions.<br />
Although not specifically required to consult the MCTL, State also does<br />
not use it to inform its export license decisions for military technologies or<br />
in its review and approval of Foreign Military Sales. Instead, in<br />
deliberating export license applications State defers to DTSA for technical<br />
expertise. Commerce and State officials noted that the absence of the<br />
MCTL and suspension of MCTL updates have not impeded their ability to<br />
conduct export control or licensing functions.<br />
DTSA, which plays a central role in export controls and technology<br />
transfer and security functions, also does not consult the MCTL, despite<br />
<strong>DOD</strong> guidance to do so for licensing and export control decisions. Under<br />
the Export Administration Act, the MCTL is to be sufficiently specific to<br />
guide export licensing decisions. However, DTSA, Commerce, and State<br />
officials agreed that the MCTL lacks the specificity needed to inform such<br />
decision making. In addition to export controls decisions, DTSA provides<br />
input on behalf of <strong>DOD</strong> on decisions related to proposed foreign<br />
acquisitions of U.S. companies to determine whether the transaction<br />
involves technologies critical to U.S. interests. In its assessments of<br />
militarily critical technologies for export controls or other purposes, DTSA<br />
relies on its resident experts—which includes 50 engineers, who are<br />
considered to have unique knowledge of military and dual-use systems<br />
and capabilities—because these experts regularly consult with industry to<br />
bolster their knowledge of new capabilities and technologies and<br />
frequently seek the military services’ perspectives on the exportability of<br />
military and dual-use items. In addition, DTSA relies on its informal<br />
network of experts across <strong>DOD</strong>, the defense industrial base, and the<br />
research and development community in lieu of relying on a technical<br />
reference such as the MCTL, which they describe as a static product that<br />
has had difficulty keeping current with technology advancements.<br />
According to DTSA officials, its network of experts has a greater<br />
understanding of the technologies that DTSA reviews than can be<br />
obtained from the MCTL because DTSA’s network of experts can provide<br />
up-to-date information about a rapidly-developing technology that is not<br />
easily captured in a reference publication.<br />
While DTSA officials do not directly consult the MCTL, DTSA has<br />
convened its own technical working groups, that, in the past, have<br />
enlisted experts from the MCTL technology working groups to provide<br />
assistance in developing and evaluating proposed changes to the<br />
Wassenaar Arrangement—a multilateral export control regime with 41<br />
member countries that focuses on controlling the spread of certain<br />
Page <strong>13</strong><br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
conventional arms and sensitive dual-use items. 12 DTSA officials stated<br />
that disbanding the technology working groups has not adversely affected<br />
DTSA’s ability to carry out its responsibilities, since DTSA has its own inhouse<br />
technology working groups, which draw from the same pool of<br />
expertise as the MCTL technology working groups.<br />
An official from the Militarily Critical Technologies Program cautioned that<br />
using DTSA’s informal approach to determine critical technologies<br />
impedes <strong>DOD</strong>’s ability to maintain a record of these decisions for future<br />
analysis and decision making and does not ensure the use of objective<br />
criteria to produce repeatable results. Officials from the Militarily Critical<br />
Technologies Program explained that the MCTL is not an export control<br />
list, but rather an inventory of military and dual-use items that pose a<br />
threat to U.S. interests if obtained by an adversary. As provided in the<br />
Export Administration Act, the list is to be sufficiently specific to guide<br />
determinations regarding export licensing decisions.<br />
Other Programs Rely on<br />
the MCTL and Face<br />
Challenges Because<br />
Updates Have Ceased<br />
The purpose of the MCTL has evolved from informing export control and<br />
licensing decisions to serving various <strong>DOD</strong> programs, such as antitamper<br />
and counter-espionage. While these functions are outside of the<br />
original purpose of the MCTL, these programs and initiatives require<br />
knowledge on what is militarily critical. While these programs have<br />
different missions, they refer to the MCTL and have integrated this<br />
technical reference into their processes. In an effort to create a consistent<br />
and standardized method for identifying critical technologies across<br />
multiple programs, the Army and Navy have issued guidance that<br />
designates the MCTL as a reference that can be used to support the<br />
identification of critical technologies as part of the broader spectrum of<br />
critical program information. <strong>13</strong> For example, the Navy issued guidance<br />
identifying the MCTL as an available resource for acquisition programs to<br />
use in determining critical technologies, among other things. Similarly, the<br />
Army Research and Technology Protection Center Handbook<br />
recommends that Army acquisition programs use the MCTL to categorize<br />
12 Wassenaar Arrangement has two control lists: a munitions list and dual-use list.<br />
<strong>13</strong> Critical program information includes components of an acquisition program such as<br />
information, technologies, or systems that, if compromised, would degrade combat<br />
mission effectiveness, shorten the expected combat effective life of the system; reduce<br />
technological advantage; significantly alter program direction, or enable an adversary to<br />
counter, copy, or reverse engineer the technology or capability.<br />
Page 14<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
their critical technologies according to the applicable MCTL technology<br />
sections. Additionally, the <strong>DOD</strong> instruction regarding the MCTL that was<br />
issued in 2008 recognized that the list informs a range of functions<br />
including intelligence, counterintelligence, and weapon systems program<br />
protection, among others.<br />
In the absence of MCTL updates, <strong>DOD</strong> efforts that have a need for a<br />
technical reference to inform critical technology protection now face<br />
challenges. For example,<br />
• <strong>DOD</strong>’s Anti-Tamper Executive Agent integrated the MCTL into its<br />
critical technology tool, which was developed to provide greater<br />
consistency across <strong>DOD</strong> programs in identifying critical technologies<br />
and determining whether anti-tamper solutions should be applied. 14<br />
Using this tool, <strong>DOD</strong> acquisition program managers draw on the<br />
MCTL in determining which technologies are critical to their weapon<br />
systems and need anti-tamper protection to deter or delay exploitation<br />
of critical technologies. While <strong>DOD</strong> anti-tamper officials had a<br />
generally favorable view of the premise of the MCTL, they expressed<br />
concerns about the currency of the list as well as delays in publishing<br />
updated content, noting that in some instances, the content had<br />
become outdated by the time the information was published. Similar<br />
to Commerce officials, <strong>DOD</strong> anti-tamper officials noted that greater<br />
specificity in describing critical parameters is needed for the MCTL to<br />
be fully useful; however, this would require that the list be produced<br />
as a classified reference. The critical technologies tool is intended to<br />
be widely used across <strong>DOD</strong> and is also used by the defense industry,<br />
which plays a role in the initial identification of critical technologies<br />
and associated protective measures. Recently, <strong>DOD</strong> anti-tamper<br />
officials met with industry representatives to discuss a range of issues<br />
including the impact of suspending MCTL updates. Given the<br />
suspension of MCTL technology assessments and updates, the list<br />
may no longer be a viable reference for assisting in anti-tamper<br />
decisions. As the MCTL content ages, the list may increasingly lose<br />
relevance to ongoing acquisition programs. The absence of updates<br />
for technologies that advance rapidly, such as microelectronics, could<br />
render the related MCTL technology section unreliable. While a<br />
replacement for the MCTL has not yet been identified, a Navy anti-<br />
14 In addition to the MCTL, the tool also includes the Missile Technology Control Regime<br />
and a stealth technology reference.<br />
Page 15<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
tamper official noted that export control lists such as the Commerce<br />
Control List or U.S. Munitions List would need to be bolstered with<br />
additional information to provide the utility that the MCTL provides in<br />
program protection efforts to be considered as potential alternatives.<br />
Currently, however, as part of the President’s export control reform<br />
initiative, efforts are underway to restructure the U.S. Munitions List<br />
and Commerce Control List in order to create a single positive control<br />
list, which would describe items using objective criteria, such as<br />
qualities to be measured—accuracy, speed, and wavelength—as well<br />
as units of measure—such as hertz and horsepower. Navy antitamper<br />
officials stated that it is too early to tell whether this will be a<br />
viable replacement as the reform efforts are in the early stages.<br />
• The MCTL’s taxonomy was adapted for use in <strong>DOD</strong>’s Acquisition<br />
Security Database, which the department has adopted to aid<br />
information sharing on critical program information—including critical<br />
technologies—across <strong>DOD</strong> acquisition programs. Within the<br />
database, the MCTL does not function as a decision-making tool, but<br />
rather ensures uniformity in how critical technology determinations are<br />
cataloged, referenced, and searched. <strong>DOD</strong> officials noted that the<br />
MCTL taxonomy provides a useful means for grouping technologies<br />
that acquisition programs have identified as critical. Such grouping of<br />
acquisition programs’ critical technologies facilitates more efficient<br />
analysis of horizontal protection and helps minimize inconsistent<br />
protections when identical or similar technologies are present in<br />
multiple weapon systems. In the absence of a replacement, the MCTL<br />
remains part of the database, though <strong>DOD</strong> officials stated that<br />
relevance of the MCTL content will diminish over time given the rapid<br />
changes in technologies for many of the technologies covered by the<br />
MCTL.<br />
• DSS uses the MCTL to support its counter-espionage activities.<br />
Specifically, DSS monitors suspicious attempts to obtain illegal or<br />
unauthorized access to restricted information. DSS refers to the<br />
MCTL to identify and define the U.S. defense technologies being<br />
targeted by foreign entities. Additionally, the list of militarily critical<br />
technologies allows DSS to assess the overlap and connections<br />
between different categories of technologies which, in turn, bolsters its<br />
analysis. DSS had previously relied on the compendium of emerging<br />
technologies for its analysis, but found it to be outdated and too broad<br />
for its purposes. Despite the aging content and lack of updates, DSS<br />
first reported using the MCTL in its 2011 report on foreign targeting of<br />
U.S. technologies. DSS officials consider the MCTL to be a standard<br />
reference that is recognized by the broader community involved in<br />
identifying and protecting critical technologies. Unlike other users,<br />
DSS does not require specificity in the MCTL, but uses the broader<br />
Page 16<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
descriptions of the technology areas. Given the lack of MCTL<br />
updates, DSS officials considered adopting other references they had<br />
identified within <strong>DOD</strong>, Commerce, and State. For example, it<br />
considered using a list relating to items of proliferation concern, but<br />
decided against it because the list was too broad and not organized in<br />
a manner that would meet DSS’s needs. Faced with difficulty in<br />
finding a suitable alternative to the MCTL that sufficiently meets its<br />
needs, DSS now plans to develop its own technology reference. Such<br />
an undertaking will be time consuming and diverts resources from<br />
other missions, according to DSS officials.<br />
• <strong>DOD</strong> currently has efforts underway to inform a methodology for<br />
vetting potential critical technologies. However, <strong>DOD</strong> is unable to<br />
consider the MCTL as part of this methodology because of concerns<br />
about the currency of the list and the suspension of updates. A <strong>DOD</strong><br />
official we spoke with noted that other resources such as the<br />
Commerce Control List, Missile Technology Control Regime, 15 U.S.<br />
Munitions List, and Wassenaar Arrangement Dual-Use and Munitions<br />
List are being considered instead of the MCTL. It is too early to tell<br />
whether this methodology will meet the needs of programs that<br />
currently use the MCTL and help to standardize critical technology<br />
identification as the effort has not yet been completed.<br />
Scientists and researchers involved in the development and manufacture<br />
of critical technologies for <strong>DOD</strong> may also have a need for a standardized<br />
reference and refer to the MCTL to make determinations about the public<br />
release of scientific and technical information for existing and emerging<br />
technologies. For example, a representative from a federally-funded<br />
research and development center we spoke with noted that it continues to<br />
rely on the MCTL despite its aging content as the center has not yet<br />
identified a suitable replacement that is as user-friendly. However, using<br />
an outdated resource increases the risk of unauthorized disclosure about<br />
existing or developing technologies, since an aging MCTL might not<br />
include new technology types developed subsequent to publication and<br />
could result in inadvertent disclosure. The risk of such disclosures poses<br />
a threat to U.S. interests and could result in fines or other penalties. Amid<br />
concerns about the currency of the MCTL, the official told us the center is<br />
considering adopting the Commerce Control List in lieu of the MCTL, but<br />
15 The Missile Technology Control Regime (MTCR) is a multi-lateral export control regime<br />
with 34 member countries. The MTCR members control a common list of items which is<br />
contained in the MTCR annex and covers rocket systems and UAVs, as well as a broad<br />
range of equipment, software, and technology.<br />
Page 17<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
is waiting for completion of the ongoing export control reform efforts that<br />
includes establishing a positive control list before pursuing this<br />
alternative.<br />
Conclusions<br />
Since its inception, the MCTL has experienced challenges in meeting its<br />
original purpose to support export licensing decisions as established by<br />
the Export Administration Act. Consequently, the export control<br />
community has identified ways to obtain <strong>DOD</strong> input without the MCTL.<br />
Despite this, use of the list has evolved to meet other needs for a<br />
technical reference that provides a baseline to help achieve consistency<br />
in identifying what technologies are critical in order to maintain a<br />
technological advantage for the warfighter and to preserve U.S.<br />
investment in critical technologies. Faced with uncertainty about the<br />
availability of the MCTL, programs are considering alternatives, and in<br />
one case, developing their own technical reference, which may not be in<br />
the best interest of the federal government as such actions redirect<br />
resources from other critical missions and may result in unnecessary<br />
duplication and inconsistent approaches to identify and protect critical<br />
technologies. Having a technical reference that is current and available in<br />
a format that meets users’ needs could help to minimize the risk of<br />
inconsistent identification and protection of U.S. critical weapon systems<br />
and technologies and, in turn, preserve U.S. technological edge for the<br />
warfighter. Gaining an understanding of users’ information requirements<br />
on what is militarily critical is an important first step as <strong>DOD</strong> builds a case<br />
for future program funding for the MCTL or other approaches.<br />
Recommendations for<br />
Executive Action<br />
Recognizing that there are widespread requirements to know what is<br />
militarily critical, we recommend that the Secretary of Defense take the<br />
following two actions:<br />
1. determine the best approach to meeting users’ needs for a technical<br />
reference, whether it be MCTL, other alternatives being used, or some<br />
combination thereof; and<br />
2. ensure that resources are coordinated and efficiently devoted to<br />
sustain the approach chosen.<br />
If <strong>DOD</strong> determines that the MCTL is not the optimal solution for aiding<br />
programs’ efforts to identify militarily critical technologies, we also<br />
recommend that the Secretary of Defense seek necessary relief from<br />
<strong>DOD</strong>’s current responsibility.<br />
Page 18<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
Agency Comments<br />
We provided a copy of this report to <strong>DOD</strong>, Commerce, and State for their<br />
review and comment. In its written comments, reproduced in appendix III,<br />
<strong>DOD</strong> concurred with our recommendations. <strong>DOD</strong>, Commerce, and State<br />
provided technical comments that we have incorporated as appropriate.<br />
We are sending copies of this report to interested congressional<br />
committees, as well as the Secretaries of Commerce, Defense, State,<br />
and Treasury. In addition, the report will be available at no charge on<br />
<strong>GAO</strong>’s web site at http://www.gao.gov.<br />
If you or your staff have any questions about this report, please contact<br />
me at (202) 512-4841 or martinb@gao.gov. Contact points for our Offices<br />
of Congressional Relations and Public Affairs may be found on the last<br />
page of this report. <strong>GAO</strong> staff who made key contributions to this report<br />
are listed in appendix IV.<br />
Belva M. Martin<br />
Director<br />
Acquisition and Sourcing Management<br />
Page 19<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
List of Committees<br />
The Honorable Carl Levin<br />
Chairman<br />
The Honorable James M. Inhofe<br />
Ranking Member<br />
Committee on Armed Services<br />
United States Senate<br />
The Honorable John Kerry<br />
Chairman<br />
The Honorable Bob Corker<br />
Ranking Member<br />
Committee on Foreign Relations<br />
United States Senate<br />
The Honorable Howard P. McKeon<br />
Chairman<br />
The Honorable Adam Smith<br />
Ranking Member<br />
Committee on Armed Services<br />
House of Representatives<br />
The Honorable Ed Royce<br />
Chairman<br />
The Honorable Eliot L. Engel<br />
Ranking Member<br />
Committee on Foreign Affairs<br />
House of Representatives<br />
Page 20<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
Appendix I: Scope Appendix I: Scope and Methodology<br />
To determine the extent to which the Department of Defense (<strong>DOD</strong>)<br />
addressed identified weaknesses in updating and maintaining the<br />
Militarily Critical Technologies List (MCTL), we obtained program<br />
documents such as the MCTL Concept of Operations which was drafted<br />
in 2010. We also reviewed various <strong>DOD</strong> policy documents such as <strong>DOD</strong><br />
Instruction 3020.46, The Militarily Critical Technologies List, which was<br />
issued in 2008. We interviewed officials from the Militarily Critical<br />
Technologies Program and the Institute for Defense Analyses (IDA) about<br />
initiatives or actions taken to address MCTL shortcomings and obtained<br />
program funding data. Using program documentation and reviews of<br />
MCTL content available on the IDA and Defense Technology Information<br />
Center websites, we assessed <strong>DOD</strong>’s efforts to update MCTL technology<br />
sections in accordance with requirements set forth in <strong>DOD</strong> policy. We<br />
also interviewed officials within <strong>DOD</strong> and the Departments of Commerce,<br />
State, and Treasury to obtain their perspectives on the MCTL. We<br />
compared <strong>DOD</strong>’s efforts to enhance the MCTL with criteria in Standards<br />
for Internal Control in the Federal Government specifically that agency<br />
management should ensure there are adequate means of obtaining<br />
information from external stakeholders who may have a significant impact<br />
on the agency achieving its goals. 1<br />
To determine the extent to which programs use the MCTL as a resource<br />
to identify critical technologies, we interviewed officials from <strong>DOD</strong>,<br />
Commerce, State, and Treasury. These officials represent programs that<br />
we have previously identified as central to the identification and protection<br />
of critical technologies. (See appendix II for a description of these<br />
programs.) Within <strong>DOD</strong>, we discussed use of the MCTL with officials from<br />
various offices including the Anti-Tamper Executive Agent, Defense<br />
Security Cooperation Agency, Defense Security Service, Defense<br />
Technology Security Administration, Deputy Assistant Secretary of<br />
Defense for Systems Engineering, and the U.S. Navy Anti-Tamper<br />
Technical Authority. We also interviewed representatives from a defense<br />
contractor and a federally funded research and development center about<br />
their use of the MCTL. We also reviewed applicable statutory provisions<br />
such as the Export Administration Act of 1979 to identify the purposes for<br />
which the MCTL was established. To assess the degree to which the<br />
MCTL has been integrated in various <strong>DOD</strong> program activities and<br />
initiatives, we interviewed <strong>DOD</strong> officials and reviewed department and<br />
1 <strong>GAO</strong>/AIMD-00-21.3.1.<br />
Page 21<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
Appendix I: Scope and Methodology<br />
military service-level guidance and policy documents regarding the use of<br />
the MCTL to inform export control and other policy decisions.<br />
We conducted this performance audit from May 2012 through January<br />
20<strong>13</strong> in accordance with generally accepted government auditing<br />
standards. Those standards require that we plan and perform the audit to<br />
obtain sufficient, appropriate evidence to provide a reasonable basis for<br />
our findings and conclusions based on our audit objectives. We believe<br />
that the evidence obtained provides a reasonable basis for our findings<br />
and conclusions based on our audit objectives.<br />
Page 22<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
Appendix II: U.S. Technology<br />
Appendix II: U.S. Government Technology<br />
Protection Programs<br />
Protection Programs<br />
The U.S. government has a number of programs to identify and protect<br />
critical technologies. These programs include those that regulate the<br />
exports of defense items and investigate the proposed foreign<br />
acquisitions of U.S. national-security related companies. Multiple federal<br />
agencies administer or play a role in these programs which are described<br />
in Table 2. In 2007, <strong>GAO</strong> named these programs as part of a high risk<br />
area, Protection of Technologies Critical to U.S. National Security<br />
Interests. 1<br />
Table 2: U.S. Government Programs for the Identification and Protection of Critical Technologies<br />
Program Agencies Program’s purpose<br />
Militarily Critical Technologies Defense<br />
Identify and assess technologies that are critical for retaining U.S.<br />
Program<br />
military dominance<br />
Dual-Use Export Control<br />
System<br />
Arms Export Control System<br />
Foreign Military Sales<br />
Program<br />
National Disclosure Policy<br />
Process<br />
Committee on Foreign<br />
Investment in the United<br />
States (CFIUS)<br />
National Industrial Security<br />
Program<br />
Commerce (lead), State, Central<br />
Intelligence Agency, Defense,<br />
Energy, Homeland Security, and<br />
Justice<br />
State (lead), Defense, Homeland<br />
Security, and Justice<br />
State and Defense (leads),<br />
Homeland Security<br />
State, Defense, and intelligence<br />
community<br />
Treasury (lead), Commerce,<br />
Defense, Homeland Security,<br />
Justice, State, and six offices<br />
from the Executive Office of the<br />
President<br />
Defense (lead), applicable to<br />
other departments and agencies<br />
Regulate export of dual-use items by U.S. companies after<br />
weighing economic, national security, and foreign policy interests;<br />
the Commerce Control List is maintained under this system<br />
Regulate export of arms by U.S. companies, giving primary to<br />
national security and foreign policy concerns; the U.S. Munitions<br />
List is maintained under this system<br />
Provide foreign governments with U.S. defense articles and<br />
services to help promote interoperability while lowering the unit<br />
costs of weapon systems<br />
Determine the releasability of classified military information,<br />
including classified weapons and military technologies, to foreign<br />
governments<br />
Investigate the impact of foreign acquisitions on national security<br />
and to suspend or prohibit acquisitions that might threaten<br />
national security<br />
Ensure that contractors, licensees, and grantees appropriately<br />
safeguard classified information in their possession by ensuring<br />
uniformity in security procedures<br />
Anti-Tamper Policy Defense Establish anti-tamper techniques on weapons systems when<br />
warranted as a method to protect critical technologies on these<br />
systems, thereby preventing and/or delaying exploitation of critical<br />
technologies in U.S. weapons systems<br />
Source: <strong>GAO</strong>.<br />
1 <strong>GAO</strong>-07-310.<br />
Page 23<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
Appendix III: from the Department<br />
Appendix III: Comments from the<br />
of Defense<br />
Department of Defense<br />
Page 24<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
Appendix III: Comments from the Department<br />
of Defense<br />
Page 25<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
Appendix IV: <strong>GAO</strong> and Staff<br />
Appendix IV: <strong>GAO</strong> Contact and Staff<br />
Acknowledgments<br />
Acknowledgments<br />
<strong>GAO</strong> Contact<br />
Staff<br />
Acknowledgments<br />
Belva Martin, (202) 512-4841 or martinb@gao.gov<br />
In addition to the contact named above, John Neumann, Assistant<br />
Director and Candice Wright, analyst-in-charge, managed this review and<br />
Emily McClintock and Jonathan Mulcare made significant contributions to<br />
the work. Richard Burkard and Hai Tran provided legal support and<br />
technical expertise, respectively. Laura Greifner provided assistance in<br />
report preparation and Roxanna Sun provided graphics support.<br />
(121070)<br />
Page 26<br />
<strong>GAO</strong>-<strong>13</strong>-<strong>157</strong> Protecting Defense Technologies
<strong>GAO</strong>’s Mission<br />
Obtaining Copies of<br />
<strong>GAO</strong> Reports and<br />
Testimony<br />
Order by Phone<br />
Connect with <strong>GAO</strong><br />
To Report Fraud,<br />
Waste, and Abuse in<br />
Federal Programs<br />
Congressional<br />
Relations<br />
Public Affairs<br />
The Government Accountability Office, the audit, evaluation, and<br />
investigative arm of Congress, exists to support Congress in meeting its<br />
constitutional responsibilities and to help improve the performance and<br />
accountability of the federal government for the American people. <strong>GAO</strong><br />
examines the use of public funds; evaluates federal programs and<br />
policies; and provides analyses, recommendations, and other assistance<br />
to help Congress make informed oversight, policy, and funding decisions.<br />
<strong>GAO</strong>’s commitment to good government is reflected in its core values of<br />
accountability, integrity, and reliability.<br />
The fastest and easiest way to obtain copies of <strong>GAO</strong> documents at no<br />
cost is through <strong>GAO</strong>’s website (http://www.gao.gov). Each weekday<br />
afternoon, <strong>GAO</strong> posts on its website newly released reports, testimony,<br />
and correspondence. To have <strong>GAO</strong> e-mail you a list of newly posted<br />
products, go to http://www.gao.gov and select “E-mail Updates.”<br />
The price of each <strong>GAO</strong> publication reflects <strong>GAO</strong>’s actual cost of<br />
production and distribution and depends on the number of pages in the<br />
publication and whether the publication is printed in color or black and<br />
white. Pricing and ordering information is posted on <strong>GAO</strong>’s website,<br />
http://www.gao.gov/ordering.htm.<br />
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or<br />
TDD (202) 512-2537.<br />
Orders may be paid for using American Express, Discover Card,<br />
MasterCard, Visa, check, or money order. Call for additional information.<br />
Connect with <strong>GAO</strong> on Facebook, Flickr, Twitter, and YouTube.<br />
Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts.<br />
Visit <strong>GAO</strong> on the web at www.gao.gov.<br />
Contact:<br />
Website: http://www.gao.gov/fraudnet/fraudnet.htm<br />
E-mail: fraudnet@gao.gov<br />
Automated answering system: (800) 424-5454 or (202) 512-7470<br />
Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-<br />
4400, U.S. Government Accountability Office, 441 G Street NW, Room<br />
7125, Washington, DC 20548<br />
Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800<br />
U.S. Government Accountability Office, 441 G Street NW, Room 7149<br />
Washington, DC 20548<br />
Please Print on Recycled Paper.